Balada

Balada is a malicious software (malware) involved in an extensive ongoing campaign, primarily targeting vulnerabilities in WordPress plugins and themes. During the first half of 2023, SiteCheck detected a total of 60,697 obfuscated script injections attributed to Balada Injector, accounting for 15.63% of all malware injections. In addition, 84,787 external script tags associated with this malware were also identified during the same period. The malware exploits flaws in websites, injecting scripts that can disrupt operations, steal sensitive information, or even hold data for ransom. The latest iteration of the Balada campaigns exploited a known vulnerability, CVE-2023-6000, to inject the initial stage of malicious code into websites. This vulnerability was found in the Popup Builder plugin for WordPress, which allowed for cross-site scripting (XSS) attacks. Balada's injected scripts were decoded using CyberChef, a tool used for digital investigations, helping researchers extract Indicators of Compromise (IoCs) from the HTML code of compromised sites. Some of the IoCs related to Balada include specialcraftbox[.]com, from[.]forwardstarlight[.]com, page[.]bridgelinering[.]com, among others. The impact of the Balada Injector has been substantial. Security researchers estimate that over 6,000 websites have been infected in its most recent campaign alone. The malware often manifests as a pop-up launched on an infected website. Comprehensive research and analysis of the Balada Injector can be found in detailed reports published on Sucuri and Pulsedive blogs. As the threat continues, it underscores the importance of maintaining up-to-date security measures and practices, especially for sites utilizing WordPress plugins and themes.